SOCs Require More Than a Band-Aid Approach

The “health” of security operations centers (SOCs) is declining: it is becoming harder and harder for security teams to successfully prevent and remediate breaches.

Everyone in the industry intuitively understands that breaches are unavoidable. The goal is to find and terminate the attacker’s actions as fast as possible, shortening the time from breach to mitigation of the threat. But the challenge today is less about getting alerted to threats and more about responding to the right alert in the fastest way possible, reducing the amount of time the attacker can linger in the network.

Adding more white hats or analysts to a security team is an expensive, ineffective approach to the problem, and an approach that won’t scale. This is just “Band-Aid-ing” the bigger issue – the lack of a suitable command-and-control platform.

Current tools are not focused on finding the context and operationalizing security data. Instead, they offer log management and the ability to write different rules that trigger alerts, with no underlying infrastructure that helps automatically draw the relationships between these incidents and alerts. The new security paradigm is to plan for attackers to penetrate your network – and this requires dramatic technology improvements to the SOC.

When I think about improving SOCs, I think about achieving radical improvements in efficiency and insight by working with existing detection tools.

More specifically, I would expect SOC teams to reduce alert loads and workloads by 90 percent and to reduce the combination of Mean Time to Identify and Mean Time to Contain from months and weeks to hours and minutes. This means ensuring that the SOC is designed to leverage autonomous response where appropriate, but also arming analysts with the tools they need to connect the dots across the security landscape and respond effectively to the threats where human intervention will continue to be required.

To reach the ultimate goal of reducing breach incidents, we need to connect the dots faster. Data science allows us to integrate disparate solutions and analyze enormous volumes of data.

I’m not just speaking about analyzing security alerts and events; I mean information from any data store, including business data, Active Directory, threat intelligence and more. SOCs also need the ability to actively connect to tools like EDR and network forensics.

Security analysts need help to take advantage of graph intelligence to understand the relationships between all relevant data in the network. Applying graph technologies to security, networking and business data provides incredible context that can be used to identify events that are truly significant.
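To make the graph idea concrete, here is an added example (not code from the original article or any vendor product) that links alerts from different detection sources through the hosts, users and IP addresses they share, and collapses each connected cluster into one prioritized incident. The alerts, the entity naming convention (`host:`, `user:`, `ip:`) and the priority formula are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample alerts: each records its detection source and the entities it touches.
ALERTS = [
    {"id": "a1", "source": "edr",     "entities": {"host:ws-17", "user:jdoe"}},
    {"id": "a2", "source": "proxy",   "entities": {"host:ws-17", "ip:203.0.113.5"}},
    {"id": "a3", "source": "ad",      "entities": {"user:jdoe", "host:dc-01"}},
    {"id": "a4", "source": "edr",     "entities": {"host:ws-42"}},
    {"id": "a5", "source": "proxy",   "entities": {"host:ws-09", "ip:198.51.100.7"}},
    {"id": "a6", "source": "netflow", "entities": {"host:ws-09", "ip:198.51.100.7"}},
]

def build_graph(alerts):
    """Bipartite graph: every alert node is linked to the entity nodes it mentions,
    so two alerts become connected whenever they share a host, user or IP."""
    adj = defaultdict(set)
    for a in alerts:
        for e in a["entities"]:
            adj[a["id"]].add(e)
            adj[e].add(a["id"])
    return adj

def connected_components(adj):
    """Iterative depth-first traversal; each component is one cluster of related activity."""
    seen, comps = set(), []
    for start in adj:
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            n = stack.pop()
            if n in seen:
                continue
            seen.add(n)
            comp.add(n)
            stack.extend(adj[n] - seen)
        comps.append(comp)
    return comps

def correlate(alerts):
    """Collapse alerts into incidents. Priority (an assumed heuristic) rewards clusters
    seen by several independent sources, since corroboration across tools is the signal."""
    by_id = {a["id"]: a for a in alerts}
    incidents = []
    for comp in connected_components(build_graph(alerts)):
        ids = sorted(n for n in comp if n in by_id)
        sources = sorted({by_id[i]["source"] for i in ids})
        entities = sorted(n for n in comp if n not in by_id)
        incidents.append({"alerts": ids, "sources": sources, "entities": entities,
                          "priority": len(sources) * len(ids)})
    return sorted(incidents, key=lambda inc: -inc["priority"])
```

On the constructed input, six alerts collapse into three incidents, and the one corroborated by EDR, proxy and Active Directory ranks first.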

Today, SOC platforms need to focus on aiding human cognitive abilities. They need to be “command-and-control platforms” and eliminate as much complexity from threat analysis and incident response processes as possible.

They also need to level up and make threat analysis and incident response easier by acting as a security integration fabric, pulling all available security tools and analytics into a single pane of glass. Then security analysts can focus on their real job – understanding the patterns and higher-order meaning of security events.